CyberManipal.

Tech news from MIST

Microsoft Exchange Server vulnerabilities exploited for financial fraud

Breaches
@RuchiraGarai

Ruchira Garai

February 15, 2022

The combination of Squirrelwaffle, ProxyLogon, and ProxyShell against Microsoft Exchange Servers is being used to conduct financial fraud through email hijacking. On Tuesday, researchers from Sophos revealed a recent incident in which a Microsoft Exchange Server, which had not been patched against a set of critical vulnerabilities disclosed last year, was targeted to hijack email threads and spread malspam. While the ProxyLogon/ProxyShell vulnerabilities are now well known, some servers are still unpatched and open to attack.

The recent case documented by Sophos combined the Microsoft Exchange Server flaws with Squirrelwaffle, a malware loader first documented last year in malicious spam campaigns. The loader is often distributed through malicious Microsoft Office documents or DocuSign content attached to phishing emails. If an intended victim enables macros in the weaponized documents, Squirrelwaffle is then often used to pull and execute Cobalt Strike beacons via a VBS script.

Customer data was taken, and a victim organization was selected. The attackers registered a domain with a name very close to the victim's (a technique known as typo-squatting) and then created email accounts on this domain to reply to the email thread from outside the compromised server. Over six days, the attackers tried to redirect a legitimate financial transaction to a bank account they owned. The payment was on its way to being processed, and it was only because a bank involved in the transaction realized the transfer was likely fraudulent that the victim did not fall prey to the attack.
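The typo-squatted reply domain is the step a defender can catch without any visibility into the compromised Exchange server. The following is an added example, not code from the article or from Sophos: a small heuristic that walks a mail thread and flags any reply whose sender domain is a near-miss of a domain already seen earlier in the conversation. The thread data is constructed sample input; the domain names and the edit-distance threshold are assumptions.

```python
"""Flag thread replies sent from a lookalike (typo-squatted) domain.

Added example, not from the article or from Sophos. The messages below
are constructed sample data; the threshold of 2 edits is an assumption.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic DP, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def find_lookalike_replies(thread, max_distance=2):
    """Return (index, sender_domain, impersonated_domain) for every message
    whose sender domain is a near-miss (not equal, within max_distance edits)
    of a domain that appeared earlier in the same thread."""
    seen = set()
    hits = []
    for idx, msg in enumerate(thread):
        dom = sender_domain(msg["from"])
        for known in sorted(seen):
            if dom != known and edit_distance(dom, known) <= max_distance:
                hits.append((idx, dom, known))
                break
        seen.add(dom)
    return hits


# Constructed sample thread: a legitimate exchange, then a reply from a
# lookalike of the victim's domain steering the payment to new bank details.
SAMPLE_THREAD = [
    {"from": "accounts@example-victim.com", "subject": "Invoice 4471"},
    {"from": "ap@supplier.example", "subject": "RE: Invoice 4471"},
    {"from": "accounts@example-victlm.com", "subject": "RE: Invoice 4471 - updated bank details"},
]

if __name__ == "__main__":
    for idx, dom, known in find_lookalike_replies(SAMPLE_THREAD):
        print(f"message {idx}: sender domain {dom!r} resembles {known!r}")
```

In a real deployment the "seen" set would be seeded from the organisation's own domains and its known counterparties rather than only from the thread itself, so a lookalike in the very first message is caught as well.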

Abridged from ZDNet
